aws only public subnets coverage #62226

jianlinliu · 2025-02-28T11:53:56Z

Installer supports OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY, once it enabled, that means the vpc would be NAT-less, installer would only depends on public subnets. The feature can help save budget for nat gateway cost.

openshift-ci-robot · 2025-02-28T11:56:51Z

@jianlinliu, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not determine changed registry steps: could not load step registry: file /var/tmp/gitrepo656459136/ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-private-deprovision-chain.yaml has incorrect prefix. Prefix should be cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

jianlinliu · 2025-02-28T12:51:03Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-02-28T12:51:05Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-01T11:45:56Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-03-01T11:45:58Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T01:28:32Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-03-03T01:28:34Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T03:50:14Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-03-03T03:50:18Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T05:27:50Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-03-03T05:27:52Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T07:11:54Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.19-aws-ipi-shared-phz-sts-f14

openshift-ci-robot · 2025-03-03T07:11:57Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T07:13:03Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-workers-marketplace-public-subnets-mini-perm-f7

openshift-ci-robot · 2025-03-03T07:13:06Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-03T08:37:05Z

rehearse testing jobs get passed.

When OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY enabled, job is here.
When OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY disabled (by default), job is here.

cc @yunjiang29 to review.

jianlinliu · 2025-03-03T09:47:09Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14

openshift-ci-robot · 2025-03-03T09:47:12Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2025-03-04T02:54:10Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2025-03-04T02:57:36Z

@jianlinliu: job(s): periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14 either don't exist or were not found to be affected, and cannot be rehearsed

jianlinliu · 2025-03-04T03:11:27Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14

openshift-ci-robot · 2025-03-04T03:11:29Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci · 2025-03-04T04:30:37Z

@jianlinliu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14	`b994771`	link	unknown	`/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-arm-f14`
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-workers-marketplace-public-subnets-mini-perm-f7	`ff69bee`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-aws-ipi-workers-marketplace-public-subnets-mini-perm-f7`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yunjiang29 · 2025-03-04T09:39:46Z

/assign @yunjiang29

yunjiang29

@jianlinliu some comments below

yunjiang29 · 2025-03-04T09:59:08Z

...ator/step-registry/aws/provision/tags-for-byo-vpc/aws-provision-tags-for-byo-vpc-commands.sh

-private_subnet_ids=$(yq-go r -j ${SHARED_DIR}/private_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")
+
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then
+    private_subnet_ids=$(yq-go r -j ${SHARED_DIR}/public_subnet_ids | jq -r '[ . | join(" ") ] | @csv' | sed "s/\"//g")


To avoid confusion, I'd suggest replacing private_subnet_ids with subnet_ids

yunjiang29 · 2025-03-04T10:15:58Z

...o-subnets/cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets-workflow.yaml

@@ -0,0 +1,9 @@
+workflow:
+  as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets


Is this workflow used in the jobs?

I was planing to use this install workflow to cover marketplace ci jobs, in the last minutes, I decided to do that later, just developed the new install workflow here for later reference.

yunjiang29 · 2025-03-04T10:40:05Z

...r/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-ref.yaml

+    - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
+      default: ""
+      documentation: |-
+        Whether to use only public subnets for AWS. Implies no NAT Gateways.


Suggest to add a note that indicates OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY will be used by create permissions-policy validation.

yunjiang29 · 2025-03-04T11:02:17Z

Additional node, once OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY enabled:

The stack output PrivateRouteTableIds and PrivateSubnetIds is empty.
The file ${SHARED_DIR}/private_subnet_ids is empty: []

This works well on current PR/jobs, but I'm not sure if it will cause other potential issues in other job configs with OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY enabled, we need to pay more attentions while enable OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY on other jobs.

jianlinliu · 2025-03-04T11:07:18Z

This works well on current PR/jobs, but I'm not sure if it will cause other potential issues in other job configs with OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY enabled, we need to pay more attentions while enable OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY on other jobs.

So far, there is no many other jobs enabled OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY beside openshift-e2e-aws-publicsubnets. The install workflow is different from the ones in this PR, no much overlap with the ones in this PR. So I guess it should be low risky.

jianlinliu · 2025-03-04T11:20:56Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.18-aws-ipi-byo-subnets-only-public-mini-perm-arm-f14

openshift-ci-robot · 2025-03-04T11:20:59Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-04T13:01:16Z

/pj-rehearse periodic-ci-openshift-verification-tests-master-installation-nightly-4.19-aws-ipi-shared-phz-sts-f14

openshift-ci-robot · 2025-03-04T13:01:18Z

@jianlinliu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-03-05T01:00:55Z

rehearse testing jobs get passed.

When OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY enabled, job is here.
When OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY disabled (by default), job is here.

openshift-ci-robot · 2025-03-05T01:08:07Z

[REHEARSALNOTIFIER]
@jianlinliu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-local-storage-operator-release-4.9-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.8-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.7-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.6-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.5-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.4-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.3-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.2-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-main-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-main-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.20-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.20-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.19-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.19-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.18-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.18-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.17-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.17-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.16-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.16-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.15-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.15-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.14-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.14-e2e-operator-extended	openshift/local-storage-operator	presubmit	Registry content changed
pull-ci-openshift-local-storage-operator-release-4.13-e2e-operator	openshift/local-storage-operator	presubmit	Registry content changed

A total of 9664 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

yunjiang29 · 2025-03-05T01:31:13Z

/lgtm
/pj-rehearse ack

openshift-ci-robot · 2025-03-05T01:31:15Z

@yunjiang29: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

yunjiang29 · 2025-03-05T01:32:31Z

@liangxia please review and approve, thanks

liangxia · 2025-03-05T01:42:43Z

Installer supports OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY, once it enabled, that means the vpc would be NAT-less, installer would only depends on public subnets. The feature can help save budget for nat gateway cost.

@jianlinliu What's the first version that we start to support this ? My team has a card for this and we'd like to apply it to our infrastructures, too.

liangxia · 2025-03-05T01:42:55Z

/approve

openshift-ci · 2025-03-05T01:43:22Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jianlinliu, liangxia, yunjiang29

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~ci-operator/config/openshift/openshift-tests-private/OWNERS~~ [liangxia]
~~ci-operator/config/openshift/verification-tests/OWNERS~~ [jianlinliu,liangxia]
~~ci-operator/jobs/openshift/openshift-tests-private/OWNERS~~ [liangxia]
~~ci-operator/jobs/openshift/verification-tests/OWNERS~~ [jianlinliu,liangxia]
~~ci-operator/step-registry/aws/OWNERS~~ [jianlinliu,liangxia,yunjiang29]
~~ci-operator/step-registry/cucushift/installer/rehearse/aws/OWNERS~~ [jianlinliu,liangxia,yunjiang29]
~~ci-operator/step-registry/ipi/conf/aws/user-min-permissions/OWNERS~~ [jianlinliu,liangxia,yunjiang29]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jianlinliu · 2025-03-05T02:08:26Z

Installer supports OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY, once it enabled, that means the vpc would be NAT-less, installer would only depends on public subnets. The feature can help save budget for nat gateway cost.

@jianlinliu What's the first version that we start to support this ? My team has a card for this and we'd like to apply it to our infrastructures, too.

From the existing ci jobs to cover the option, sounds it starts from 4.15. After talked with bear, sounds it is not enough to meet your team's requirement, so there is a followup user story.

openshift-ci bot requested review from asood-rh and gpei February 28, 2025 11:54

jianlinliu force-pushed the publicsubnets branch 3 times, most recently from b237ec8 to ba8158a Compare February 28, 2025 12:40

jianlinliu force-pushed the publicsubnets branch from ba8158a to facc2a7 Compare March 1, 2025 11:40

jianlinliu force-pushed the publicsubnets branch from facc2a7 to 5cfc484 Compare March 3, 2025 01:22

jianlinliu force-pushed the publicsubnets branch from 5cfc484 to 7ebcd8b Compare March 3, 2025 03:01

jianlinliu force-pushed the publicsubnets branch from 7ebcd8b to ff69bee Compare March 3, 2025 05:00

jianlinliu force-pushed the publicsubnets branch 2 times, most recently from 2ec5a2f to dcd3744 Compare March 3, 2025 08:57

jianlinliu force-pushed the publicsubnets branch from b994771 to 181b3da Compare March 3, 2025 10:46

openshift-ci bot assigned yunjiang29 Mar 4, 2025

yunjiang29 reviewed Mar 4, 2025

View reviewed changes

jianlinliu force-pushed the publicsubnets branch from 10ddb43 to c342fe2 Compare March 4, 2025 11:08

aws only public subnets coverage

6cb1b96

jianlinliu force-pushed the publicsubnets branch from c342fe2 to 6cb1b96 Compare March 5, 2025 01:02

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Mar 5, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 5, 2025

openshift-merge-bot bot merged commit 103788e into openshift:master Mar 5, 2025
17 checks passed

		@@ -0,0 +1,9 @@
		workflow:
		as: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets

aws only public subnets coverage #62226

aws only public subnets coverage #62226

Uh oh!

Conversation

jianlinliu commented Feb 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Feb 28, 2025

Uh oh!

jianlinliu commented Feb 28, 2025

Uh oh!

openshift-ci-robot commented Feb 28, 2025

Uh oh!

jianlinliu commented Mar 1, 2025

Uh oh!

openshift-ci-robot commented Mar 1, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

jianlinliu commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 3, 2025

Uh oh!

openshift-ci-robot commented Mar 4, 2025

Uh oh!

openshift-ci-robot commented Mar 4, 2025

Uh oh!

jianlinliu commented Mar 4, 2025

Uh oh!

openshift-ci-robot commented Mar 4, 2025

Uh oh!

openshift-ci bot commented Mar 4, 2025

Uh oh!

yunjiang29 commented Mar 4, 2025

Uh oh!

yunjiang29 left a comment

Choose a reason for hiding this comment

Uh oh!

yunjiang29 Mar 4, 2025

Choose a reason for hiding this comment

Uh oh!

jianlinliu Mar 4, 2025

Choose a reason for hiding this comment

Uh oh!

yunjiang29 Mar 4, 2025

Choose a reason for hiding this comment

Uh oh!

jianlinliu Mar 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

yunjiang29 Mar 4, 2025

Choose a reason for hiding this comment

Uh oh!

jianlinliu Mar 4, 2025

Choose a reason for hiding this comment

Uh oh!

yunjiang29 commented Mar 4, 2025

Uh oh!

jianlinliu commented Mar 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

jianlinliu commented Feb 28, 2025 •

edited

Loading

jianlinliu Mar 4, 2025 •

edited

Loading

jianlinliu commented Mar 4, 2025 •

edited

Loading